[Security] Build(deps): Bump @ckeditor/ckeditor5-list from 12.1.0 to 27.0.0

[dependabot-preview]

Bumps @ckeditor/ckeditor5-list from 12.1.0 to 27.0.0.

Release notes

Sourced from @ckeditor/ckeditor5-list's releases.

v27.0.0

Release highlights

We are happy to announce the release of CKEditor 5 v27.0.0.

Starting from this version, collaboration features release notes will be included in the CKEditor 5 changelog. Changes for the previous releases are available on https://ckeditor.com/collaboration/changelog/.

This release introduces some new features:

• The new text part language feature allows you to define the language for each passage of content written in multiple languages. This helps satisfy the WCAG Success Criterion 3.1.2 Language of Parts.
• Support for drag and dropping of textual content and block objects (like images and tables) within the editor.
• Support for dropping HTML content from outside of the editor into the editor.
• Alignment can now be set using classes.
• Typing [x] will now insert a checked to-do list item.
• Support for bubbling of view.Document events.

MAJOR BREAKING CHANGES ℹ️

Note: Check out the Migration to CKEditor 5 v27.0.0 guide for more detailed information on how to upgrade to this version.

• clipboard: The inputTransformation event is no longer fired by the Clipboard plugin. Now the ClipboardPipeline plugin is responsible for firing this event (see #9128).
• clipboard: The clipboardInput and inputTransformation events should not be fired or stopped in the feature code. The data.content property should be assigned to override the default content instead. You can stop this event only if you want to completely disable pasting or dropping of some content. Read more about the clipboard pipeline in the migration to v27.0.0 guide. See #9128.
• Introduced bubbling of the view.Document events, similar to how bubbling works in the DOM. This allowed us to re-prioritize many listeners that previously had to rely on the priority property. However, it means that existing listeners that use priorities may now be executed at a wrong time. The listeners to such events should be reviewed in terms of when they should be executed (in what context/element/phase). Read more about event bubbling in the migration to v27.0.0 guide. See #8640.

Features

• alignment: Introduced an option to use classes instead of inline styles. Closes #8516. (commit)
• autoformat: Typing [x] will insert a checked to-do list item. Closes #8877. (commit)
• clipboard: Implemented basic support for content drag and drop. Closes #9128. (commit)
• clipboard: The contentInsertion event is fired from ClipboardPipeline to enable customization of content insertion (see #9128). (commit)
• core: Created the universal caption icon. Closes #9196. (commit)
• engine: Introduced bubbling of the view.Document events, similar to how bubbling works in the DOM. Bubbling allows listening on a view event on a specific kind of element, hence simplifying code that needs to handle a specific event for only that element (e.g. enter in blockquote elements only). Read more in the Event system deep-dive guide. Closes #8640. (commit)
• engine: Introduced ArrowKeysObserver. See #8640. (commit)
• language: Added support for setting the text part language. Closes #8989.

Bug fixes

• engine: DataController#toView() should have a default value for the options parameter. Closes #9293. (commit)
• highlight The remove highlight button now also gets disabled along with the main highlight command. Closes #9174. (commit)
• utils: The EmitterMixin#listenTo() method is split into listener and emitter parts. The ObservableMixin decorated methods reverted to the original method while destroying an observable. (commit)

Other changes

• clipboard: The paste as plain text feature was extracted to the dedicated PastePlainText plugin (see #9128). (commit)
• engine: The mouseup event is fired by the MouseObserver (see #9128). (commit)
• table: The mouseup event is no longer fired by the MouseEventsObserver from the @ckeditor/ckeditor5-table package (now handled by MouseObserver) (see #9128). (commit)
• typing: The TwoStepCaretMovement feature is now using bubbling events. Closes #7437. (commit)
• utils: Added the language.getLanguageDirection helper function allowing to determine the text direction based on the language code. (commit)

... (truncated)

Changelog

Sourced from @ckeditor/ckeditor5-list's changelog.

Changelog

All changes in the package are documented in the main repository. See: https://github.com/ckeditor/ckeditor5/blob/master/CHANGELOG.md.

Changes for the past releases are available below.

19.0.0 (2020-04-29)

Other changes

• Improved performance of processing (loading) long lists. Closes ckeditor/ckeditor5#6581. (b52db48)

18.0.0 (2020-03-19)

Other changes

• Updated translations. (92c4ec0)

17.0.0 (2020-02-19)

Bug fixes

• Focus the editor before executing toolbar buttons' command. See ckeditor/ckeditor5#353. (4af8783)

Other changes

• Updated translations. (f87974b)

16.0.0 (2019-12-04)

Other changes

• Updated translations. (53e1503)

15.0.0 (2019-10-23)

MAJOR BREAKING CHANGES

• The structure of the to–do list has changed (both in the editing and in the data). Please refer to the documentation for the information about used class names as it can impact the existing styles of your application.

Features

• Introduces content styles for to–do lists. Unified to–do list representation in the editing and data. Extracted feature styles to a todolist.css file. Closes #147. Closes ckeditor/ckeditor5#2063. (5605663)

Bug fixes

... (truncated)

Commits

• bf30aaa Release: v27.0.0.
• 171b24a Internal: Updated dependencies. [skip ci]
• 408e327 Update packages/ckeditor5-list/docs/features/todo-lists.md
• bf1908c Docs: markdown update.
• 358a653 Other: Optimized icons. [skip ci]
• e36175e Improved handling of repeating characters
• b45ce2c Merge branch 'master' into i/2664-dnd
• 78c0d63 Merge branch 'master' into i/8640-bubbling-events
• d1b3e3c Merge branch 'master' into i/2664-dnd
• 5f7b554 Release: v26.0.0.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Regular expression Denial of Service in multiple packages

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Affected versions: ["<= 26.0.0"]